Why stockpiling hard drives can be harmful to your business

The need for proper electronic media destruction protocols

In this issue, we will discuss how stockpiling your old hard drives makes your organisation more vulnerable. This begs the question: why take the risk?

Many British businesses, both large and small, may not realise that the most effective way to properly dispose of hard drives and electronic media is to destroy them. The issue is new enough that many companies’ security protocols and procedures don’t account for unused hard drives and electronic media. Instead, businesses often stockpile items with confidential information on them indefinitely, locked away in a cupboard or storage area. Shred-it’s 2014 Information Security Tracker survey, which assessed the opinions of small and large businesses, discovered that 15 per cent of large organisations and nearly a third of small ones (32%) have never disposed of hardware containing confidential data. Despite both the short and long-term negative consequences, many UK businesses appear to follow this process because they are unaware of the risks to themselves and their customers.

1. It's under lock and key so it's secure, right?

As technology evolves, misconceptions have emerged about hard drive and electronic media security. For example, locking up old hard drives in an IT closet or an off-site storage facility is often perceived as a safe option, despite being a target for data thieves. Even if organisations use software to erase, wipe, reformat and degauss electronic devices, it may not fully protect them - confidential data from obsolete hard drives can still end up in the wrong hands. Carelessness is just as dangerous, with improper destruction potentially leading to a costly breach that could damage your company’s reputation. This begs the question: why risk it?

Shred-it’s 2012 Information Security Tracker survey, which assessed the opinions of small and large businesses, demonstrated that 50 per cent of UK businesses mistakenly thought that erasing, wiping or degaussing their devices before recycling them was enough to protect their confidential information from being lost or stolen. Another 14 per cent of British businesses indicated that they simply recycled their old electronic media. Further, 13 per cent said they didn’t know how their business was disposing of its aging or obsolete computers, or other data-storing devices such as smartphones or photocopiers. Given the importance of destroying a hard drive, it’s startling to think that only 23 per cent of businesses across the UK reported using this method of destruction.

2. But we are secure - this would never happen to our company!

Could it though? In June 2012, the Information Commissioner’s Office (ICO) fined a hospital trust £325,000 after computer hard drives containing confidential information on thousands of patients were stolen. Sensitive personal data was discovered on hard drives sold on an internet auction site. The hard drives contained staff details including national insurance numbers, home addresses, ward and hospital IDs, and information referring to criminal convictions and suspected offences.[1]

Just over a year later, in July 2013, another hefty penalty of £200,000 was levied against another NHS trust following the discovery of thousands of children’s patient records on a second-hand computer that was auctioned online. Regulators said the trust failed to check that a data destruction company had properly disposed of the records. The data destruction company had offered free disposal of the computers in exchange for the sale of salvageable materials and had promised to crush the hard disks, but the health trust had failed to monitor the destruction process, the ICO ruled, and did not have a contract in place that explained the legal requirements of the data destruction.[2]

You might be quick to point out that this is not your business, as this occurred in the public sector, and you may think that it wouldn’t happen to you. However, in 2013 the UK’s private sector accounted for more than a third of all reported data breaches and resulting fines (41%).[3] You may follow policies and procedures, but do all of your employees do the same? These information breaches have once again raised red flags around workplace policies and procedures.

Below is a list of best practices to implement in your workplace to avoid data theft:

Consider performing regular clean-outs of storage facilities and avoid stockpiling old, unused hard drives. The Data Protection Act stipulates that personal data should not be kept for longer than the purpose for which it was collected in the first place — so even the simple act of storing them could mean you are breaking the law.

Destroy all unused hard drives at the end of their useful life. If using a third-party provider to do this for you, check they have a secure chain of custody to help give you peace of mind and ensure your data is being kept out of the hands of fraudsters.

3. Why put your company at risk?

The cost to destroy hard drives is minimal when compared to the potential risks faced when you don’t. Shred-it, the world leader in secure information destruction, can permanently destroy confidential information at a low cost that will fit your budget. Not only that, hard drive destruction is the most effective way to permanently destroy all information. Shred-it’s secure chain of custody guarantees secure destruction, with a Certificate of Destruction issued for your files. At the end of the day, Shred-it’s Hard Drive Destruction Service will offer more than just a certificate; it offers the peace of mind you deserve.